VERIVA SYSTEMS DATA PROCESSING ADDENDUM (DPA)
Effective Date: 28 April 2025
1. Definitions
For the purposes of this Addendum:
- “Agreement” means the applicable Subscription Agreement, Master Agreement, or Terms of Use between Veriva Systems Sdn Bhd (“Veriva”) and Customer.
- “Customer Data” means any personal data processed by Veriva on behalf of Customer.
- “Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy, including the GDPR (EU Regulation 2016/679) and Malaysia’s PDPA.
- “Sub-Processor” means any third party appointed by Veriva to process Customer Data.
2. Scope of Processing
Veriva processes Customer Data:
- Only for the purpose of delivering, maintaining, and supporting its services
- According to Customer’s instructions as set forth in the Agreement
- For the duration of the Agreement unless otherwise agreed
3. Roles of the Parties
- Customer acts as the Data Controller.
- Veriva acts as the Data Processor.
Each party shall comply with its respective obligations under applicable Data Protection Laws.
4. Customer Obligations
Customer agrees to:
- Ensure it has a valid legal basis for the processing of Customer Data
- Provide instructions that comply with applicable Data Protection Laws
- Not instruct Veriva to process Customer Data unlawfully
5. Veriva Obligations
Veriva agrees to:
- Process Customer Data solely based on documented instructions from the Customer and only for the purposes necessary to deliver Veriva’s services.
- Implement technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are reviewed periodically and adjusted as needed.
- Ensure that employees and personnel with access to Customer Data are bound by confidentiality obligations through employment agreements and internal policies.
- Assist the Customer in responding to data subject requests in a timely and commercially reasonable manner.
- Notify the Customer without undue delay, and no later than 72 hours after becoming aware of a confirmed personal data breach affecting Customer Data.
- Upon request and subject to confidentiality agreements, provide summaries of internal security practices and policies to demonstrate adherence to applicable Data Protection Laws.
6. Sub-Processing
- Veriva may engage carefully selected Sub-Processors to provide hosting, analytics, and platform services.
- A current list of key Sub-Processors (e.g., Microsoft Azure, OpenAI, Meta, Google) is available upon request.
- Veriva ensures these Sub-Processors provide appropriate data protection commitments through contractual agreements and undertakes reasonable steps to verify their compliance.
- Veriva remains responsible for the performance of Sub-Processors in relation to their data processing obligations.
Key Sub-Processors include:
- Microsoft Azure (Cloud Hosting)
- Other service providers as disclosed upon request
7. Cross-Border Data Transfers
Where Customer Data is processed or transferred outside the originating jurisdiction:
- Veriva shall use legally recognized mechanisms such as Standard Contractual Clauses (SCCs), where applicable, and require its Sub-Processors to comply with similar safeguards.
- As Veriva expands to new data center regions, any additional jurisdictions for data hosting or processing will be selected based on regulatory alignment, data security requirements, and commercial viability.
- Customers concerned about cross-border processing may opt for a Customer-Hosted deployment model to retain full control over data residency and compliance with local laws.
8. Data Subject Rights
Veriva shall:
- Promptly notify Customer of any data subject request (access, correction, deletion, etc.)
- Assist Customer in fulfilling such requests, to the extent possible, without undue delay
9. Security Measures
Veriva implements the following safeguards to ensure the protection of Customer Data:
- Role-based access control (RBAC), user authentication, and activity logging.
- Data encryption during transit (TLS) and at rest.
- Logical separation of customer data within multitenant environments.
- Regular internal reviews of code and security practices.
- Business Continuity and Disaster Recovery (BCDR) procedures.
- Ongoing improvement of security posture as business and threat models evolve.
10. Return or Deletion of Data
Upon termination of the Agreement:
- Veriva will, at Customer’s choice, return or securely delete all Customer Data
- Deletion will occur within a commercially reasonable period unless retention is required by law
11. Liability
Each party’s liability under this DPA shall be subject to the limitations of liability outlined in the underlying Agreement.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Malaysia, without regard to conflict of law principles.
Any disputes under this DPA shall be resolved through arbitration administered by the Asian International Arbitration Centre (AIAC) in Kuala Lumpur, Malaysia.
13. Entire Agreement
This DPA forms part of the Agreement and supersedes any conflicting provisions relating to data protection and privacy.
In case of conflict between the Agreement and this DPA, the DPA shall prevail.